She came in through the bathroom window
Following allegations that the FBI paid developers to install a backdoor in OpenBSD, Milena Popova examines the security advantages of open source software
Just over a fortnight ago, it was alleged that the FBI paid developers to put backdoors into the OpenBSD operating system. This story--and OpenBSD's response to the allegations--serves to highlight the importance of open source software.
OpenBSD is one of a number of small and fairly obscure Unix-like operating systems, distinguished by using only open source code, licensed under the BSD License, and taking particular pride in its proactive approach to security.
A former US government contractor contacted the leader of the OpenBSD project, Theo de Raadt, informing him that he believed the FBI had installed a backdoor--a deliberate security vulnerability which they knew how to exploit--in OpenBSD’s encryption programme. It is fair to assume that Microsoft (or any other large proprietary software company), in a similar instance, would set a small army of programmers and software engineers on the code and try to find the vulnerabilities; they would create a fix, and quietly push it out with a service pack or regular update. What I think they would be highly unlikely to do is tell the entire world that there might be a backdoor or security flaw in their system until they were sure they had a fix for it. In the meantime, the computers of millions of people would continue to be vulnerable, with the company’s full knowledge.
This is not how OpenBSD works. The first thing that Theo de Raadt did was tell the world. The logic behind this openness was that users would immediately start auditing the code for the vulnerability (as well as making informed choices about whether to continue using the code), and if the allegations were untrue those accused could defend themselves. And although it is highly unlikely that a backdoor--even if it was ever written--made it into OpenBSD’s code base, the increased attention on the code has uncovered a few other issues which are in the process of being fixed.
I find this story fascinating as it illustrates beautifully the advantages of an open approach to security. Open source is a philosophy or approach to making things which provides access to the end product’s source materials - if you buy a garment, for instance, you might also get the pattern used to make it; you might get the sheet music or lyrics with your CD. Open source is particularly popular in some software development circles, including among OpenBSD developers. Programmers who follow the approach release not only the compiled piece of software (the programme you run on your computer), but also the source code - the basic instructions to the computer which make up that programme. This has a number of advantages: it allows others to learn from your code, it lets them build on it, and it has some very interesting security effects.
Science, academia and education work on a similar principle - sharing knowledge and skills in order to constantly push the boundaries of what we know, whilst allowing for a comprehensive peer-review system. When a proprietary software vendor like Microsoft gives me its Windows operating system, it asks me to blindly trust that there are no vulnerabilities, no backdoors, and no security issues. OpenBSD, Linux, and any number of other open source pieces of software allow me and others to check. If I’m not a coder myself, I am still able to acquire the necessary skills if I really want to, but I can also trust hundreds of independent programmers out there to have checked that code during the development process and after.
Exposing your security solutions to public scrutiny is one of the best ways to stay ahead of the game. This is why RSA Laboratories (the people behind some of the most widely used encryption on the internet) fund things like the RSA Secret Key Challenge, where they actively encourage the general public to have a go at breaking their security.
From a user’s point of view, open platforms are key to being able to take control of your digital rights. If the platform you are using is not open, how are you going to know that the government isn’t spying on you, the software company isn’t keeping an eye on what you’re doing, or a random script kiddie isn’t stealing your credit card data as you order that book on security engineering from Amazon?
ORGZine: the Digital Rights magazine written for and by Open Rights Group supporters and engaged experts expressing their personal views